Difference between revisions of "MD4"
(→Collision Attacks) |
(→Preimage Attacks) |
||
(5 intermediate revisions by 2 users not shown) | |||
Line 4: | Line 4: | ||
* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||
* compression function: 512-bit message block, 128-bit chaining variable | * compression function: 512-bit message block, 128-bit chaining variable | ||
− | * Specification: | + | * Specification: [http://www.ietf.org/rfc/rfc1320.txt RFC1320] |
+ | |||
<bibtex> | <bibtex> | ||
@inproceedings{cryptoRivest90, | @inproceedings{cryptoRivest90, | ||
Line 39: | Line 40: | ||
=== Collision Attacks === | === Collision Attacks === | ||
+ | <bibtex> | ||
+ | @inproceedings{iciscYuW07, | ||
+ | author = {Hongbo Yu and Xiaoyun Wang}, | ||
+ | title = {Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL}, | ||
+ | booktitle = {ICISC}, | ||
+ | year = {2007}, | ||
+ | pages = {206-226}, | ||
+ | url = {http://dx.doi.org/10.1007/978-3-540-76788-6_17}, | ||
+ | editor = {Kil-Hyun Nam and Gwangsoo Rhee}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {4817}, | ||
+ | isbn = {978-3-540-76787-9}, | ||
+ | abstract = {In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux’s multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 221 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2^{30} and a 8-near-collision with complexity 2^9.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
<bibtex> | <bibtex> | ||
@inproceedings{fseSasakiWOK07, | @inproceedings{fseSasakiWOK07, | ||
Line 65: | Line 83: | ||
} | } | ||
</bibtex> | </bibtex> | ||
+ | |||
<bibtex> | <bibtex> | ||
@inproceedings{fseLeurent07, | @inproceedings{fseLeurent07, | ||
Line 89: | Line 108: | ||
Authentication Protocol of the Post Office Protocol (POP). This shows | Authentication Protocol of the Post Office Protocol (POP). This shows | ||
that collision attacks can be used to attack real protocols, which means that finding collisions is a real threat.} | that collision attacks can be used to attack real protocols, which means that finding collisions is a real threat.} | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @inproceedings{iciscNaitoSKO05, | ||
+ | author = {Yusuke Naito and Yu Sasaki and Noboru Kunihiro and Kazuo Ohta}, | ||
+ | title = {Improved Collision Attack on MD4 with Probability Almost 1}, | ||
+ | booktitle = {ICISC}, | ||
+ | year = {2005}, | ||
+ | pages = {129-145}, | ||
+ | url = {http://dx.doi.org/10.1007/11734727_12}, | ||
+ | editor = {Dongho Won and Seungjoo Kim}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {3935}, | ||
+ | isbn = {3-540-33354-1}, | ||
+ | abstract = {In EUROCRYPT2005, a collision attack on MD4 was proposed by Wang, Lai, Chen, and Yu. They claimed that collision messages were found with probability 2^{-6} to 2^{-2}, and the complexity was less than 2^8 MD4 hash operations. However, there were some tyops and oversights in their paper. In this paper, first, we reevaluate the exact success probability. Second, we point out the typos and oversights in the paper of Wang et al, and we show how to improve them. Third, we propose a new message modification method for the third round of MD4. From the first result, we reevaluate that the method of Wang et al. can find collision messages with success probability 2^{-5.61}. From the second result, we can find collision messages with success probability 2^{-2}. Also by combining the second result and the third result, our improved method is able to find collision messages with probability almost 1. This complexity is less than 3 repetitions of MD4 hash operations. Our improved method is about 85 times as fast as the method of Wang et al.}, | ||
} | } | ||
</bibtex> | </bibtex> | ||
Line 172: | Line 208: | ||
url = {http://dx.doi.org/10.1007/3-540-60590-8_22} | url = {http://dx.doi.org/10.1007/3-540-60590-8_22} | ||
} | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @inproceedings{cryptoBoerB91, | ||
+ | author = {Bert den Boer and Antoon Bosselaers}, | ||
+ | title = {An Attack on the Last Two Rounds of MD4}, | ||
+ | booktitle = {CRYPTO}, | ||
+ | year = {1991}, | ||
+ | pages = {194-203}, | ||
+ | url = {http://link.springer.de/link/service/series/0558/bibs/0576/05760194.htm}, | ||
+ | editor = {Joan Feigenbaum}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {576}, | ||
+ | isbn = {3-540-55188-3}, | ||
+ | } | ||
</bibtex> | </bibtex> | ||
Line 181: | Line 233: | ||
=== Preimage Attacks === | === Preimage Attacks === | ||
+ | |||
+ | <bibtex> | ||
+ | @inproceedings{fseLeurent08, | ||
+ | author = {Ga{\"e}tan Leurent}, | ||
+ | title = {MD4 is Not One-Way}, | ||
+ | booktitle = {FSE}, | ||
+ | year = {2008}, | ||
+ | pages = {412-428}, | ||
+ | abstract = {MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family. }, | ||
+ | url = {http://dx.doi.org/10.1007/978-3-540-71039-4_26}, | ||
+ | editor = {Kaisa Nyberg}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {5086}, | ||
+ | isbn = {978-3-540-71038-7}, | ||
+ | } | ||
+ | </bibtex> | ||
<bibtex> | <bibtex> |
Latest revision as of 11:32, 10 November 2008
Contents
1 Specification
- digest size: 128 bits
- max. message length: < 264 bits
- compression function: 512-bit message block, 128-bit chaining variable
- Specification: RFC1320
Ronald L. Rivest - The MD4 Message Digest Algorithm
- CRYPTO 537:303-311,1990
- http://link.springer.de/link/service/series/0558/bibs/0537/05370303.htm
BibtexAuthor : Ronald L. Rivest
Title : The MD4 Message Digest Algorithm
In : CRYPTO -
Address :
Date : 1990
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
2.3 Collision Attacks
Hongbo Yu, Xiaoyun Wang - Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL
- ICISC 4817:206-226,2007
- http://dx.doi.org/10.1007/978-3-540-76788-6_17
BibtexAuthor : Hongbo Yu, Xiaoyun Wang
Title : Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL
In : ICISC -
Address :
Date : 2007
Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro - New Message Difference for MD4
- FSE 4593:329-348,2007
- http://dx.doi.org/10.1007/978-3-540-74619-5_21
BibtexAuthor : Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro
Title : New Message Difference for MD4
In : FSE -
Address :
Date : 2007
Gaëtan Leurent - Message Freedom in MD4 and MD5 Collisions: Application to APOP
- FSE 4593:309-328,2007
- http://dx.doi.org/10.1007/978-3-540-74619-5_20
BibtexAuthor : Gaëtan Leurent
Title : Message Freedom in MD4 and MD5 Collisions: Application to APOP
In : FSE -
Address :
Date : 2007
Yusuke Naito, Yu Sasaki, Noboru Kunihiro, Kazuo Ohta - Improved Collision Attack on MD4 with Probability Almost 1
- ICISC 3935:129-145,2005
- http://dx.doi.org/10.1007/11734727_12
BibtexAuthor : Yusuke Naito, Yu Sasaki, Noboru Kunihiro, Kazuo Ohta
Title : Improved Collision Attack on MD4 with Probability Almost 1
In : ICISC -
Address :
Date : 2005
Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu - Cryptanalysis of the Hash Functions MD4 and RIPEMD
- EUROCRYPT 3494:1-18,2005
- http://dx.doi.org/10.1007/11426639_1
BibtexAuthor : Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu
Title : Cryptanalysis of the Hash Functions MD4 and RIPEMD
In : EUROCRYPT -
Address :
Date : 2005
Hans Dobbertin - Cryptanalysis of MD4
- J. Cryptology 11(4):253-271,1998
- http://link.springer.de/link/service/journals/00145/bibs/11n4p253.html
BibtexAuthor : Hans Dobbertin
Title : Cryptanalysis of MD4
In : J. Cryptology -
Address :
Date : 1998
Hans Dobbertin - Cryptanalysis of MD4
- FSE 1039:53-69,1996
- http://dx.doi.org/10.1007/s001459900047
BibtexAuthor : Hans Dobbertin
Title : Cryptanalysis of MD4
In : FSE -
Address :
Date : 1996
Serge Vaudenay - On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER
- FSE 1008:286-297,1995
- http://dx.doi.org/10.1007/3-540-60590-8_22
BibtexAuthor : Serge Vaudenay
Title : On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER
In : FSE -
Address :
Date : 1995
Bert den Boer, Antoon Bosselaers - An Attack on the Last Two Rounds of MD4
- CRYPTO 576:194-203,1991
- http://link.springer.de/link/service/series/0558/bibs/0576/05760194.htm
BibtexAuthor : Bert den Boer, Antoon Bosselaers
Title : An Attack on the Last Two Rounds of MD4
In : CRYPTO -
Address :
Date : 1991
2.4 Second Preimage Attacks
2.5 Preimage Attacks
Ga\"etan Leurent - MD4 is Not One-Way
- FSE 5086:412-428,2008
- http://dx.doi.org/10.1007/978-3-540-71039-4_26
BibtexAuthor : Ga\"etan Leurent
Title : MD4 is Not One-Way
In : FSE -
Address :
Date : 2008
Hans Dobbertin - The First Two Rounds of MD4 are Not One-Way
- FSE 1372:284-292,1998
- http://dx.doi.org/10.1007/3-540-69710-1_19
BibtexAuthor : Hans Dobbertin
Title : The First Two Rounds of MD4 are Not One-Way
In : FSE -
Address :
Date : 1998
2.6 Others
<bibtex> @inproceedings{fseSchlafferO06,
author = {Martin Schläffer and Elisabeth Oswald}, title = {Searching for Differential Paths in MD4}, pages = {242-261}, url = {http://dx.doi.org/10.1007/11799313_16}, booktitle = {FSE}, publisher = {Springer}, series = {LNCS}, volume = {4047}, year = {2006}, isbn = {3-540-36597-4}, abstract = {The ground-breaking results of Wang et al.
have attracted a lot of attention to the collision resistance of hash functions. In their articles, Wang et al. give input differences, differential paths and the corresponding conditions that allow to find collisions with a high probability. However, Wang et al. do not explain how these paths were found. The common assumption is that they were found by hand with a great deal of intuition. In this article, we present an algorithm that allows to find paths in an automated way. Our algorithm is successful for MD4. We have found over 1000 differential paths so far. Amongst them, there are paths that have fewer conditions in the second round than the path of Wang et al. for MD4. This makes them better suited for the message modification techniques that were also introduced by Wang et al.} }